Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
10-11-2024 10:24
General
-
Target
cbf6a9b81d7cfa68b9e3e3a971ba2f3e4df5d8fa24ee686131fc5d580ae2c91bN.exe
-
Size
337KB
-
MD5
523228639a156c5f3b4bf1e479cd40e0
-
SHA1
0452473b3ce48f913dc8be7ec401e9487ee7b2f1
-
SHA256
cbf6a9b81d7cfa68b9e3e3a971ba2f3e4df5d8fa24ee686131fc5d580ae2c91b
-
SHA512
fcceb1009bc24c058576160c2bd95b8e2464a68f5db47da73d75ecae5c6821ccff980c071fe4c7c1da9674e4c2e1d0258e6024f16fda063ea377035f9326ecfb
-
SSDEEP
3072:JQoLu/kIXXpvT9gYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:JQqYkIpv51+fIyG5jZkCwi8r
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
-
Berbew
Berbew is a backdoor written in C++.
-
Berbew family
-
Njrat family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cbf6a9b81d7cfa68b9e3e3a971ba2f3e4df5d8fa24ee686131fc5d580ae2c91bN.exe"C:\Users\Admin\AppData\Local\Temp\cbf6a9b81d7cfa68b9e3e3a971ba2f3e4df5d8fa24ee686131fc5d580ae2c91bN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Edoefl32.exeC:\Windows\system32\Edoefl32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ekhmcelc.exeC:\Windows\system32\Ekhmcelc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Epeekmjk.exeC:\Windows\system32\Epeekmjk.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ephbal32.exeC:\Windows\system32\Ephbal32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ecfnmh32.exeC:\Windows\system32\Ecfnmh32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Eipgjaoi.exeC:\Windows\system32\Eipgjaoi.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fcmdnfad.exeC:\Windows\system32\Fcmdnfad.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fabaocfl.exeC:\Windows\system32\Fabaocfl.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Flhflleb.exeC:\Windows\system32\Flhflleb.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fepjea32.exeC:\Windows\system32\Fepjea32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ggagmjbq.exeC:\Windows\system32\Ggagmjbq.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Gagkjbaf.exeC:\Windows\system32\Gagkjbaf.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Gqaafn32.exeC:\Windows\system32\Gqaafn32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hofngkga.exeC:\Windows\system32\Hofngkga.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hmjoqo32.exeC:\Windows\system32\Hmjoqo32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hcdgmimg.exeC:\Windows\system32\Hcdgmimg.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Hkolakkb.exeC:\Windows\system32\Hkolakkb.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\Hnpdcf32.exeC:\Windows\system32\Hnpdcf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Hejmpqop.exeC:\Windows\system32\Hejmpqop.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Hghillnd.exeC:\Windows\system32\Hghillnd.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Haqnea32.exeC:\Windows\system32\Haqnea32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Hgkfal32.exeC:\Windows\system32\Hgkfal32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Imgnjb32.exeC:\Windows\system32\Imgnjb32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Icafgmbe.exeC:\Windows\system32\Icafgmbe.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Imjkpb32.exeC:\Windows\system32\Imjkpb32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Iiqldc32.exeC:\Windows\system32\Iiqldc32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Iahceq32.exeC:\Windows\system32\Iahceq32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Ifdlng32.exeC:\Windows\system32\Ifdlng32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Iladfn32.exeC:\Windows\system32\Iladfn32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Ifgicg32.exeC:\Windows\system32\Ifgicg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Ilcalnii.exeC:\Windows\system32\Ilcalnii.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Jigbebhb.exeC:\Windows\system32\Jigbebhb.exe33⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jlfnangf.exeC:\Windows\system32\Jlfnangf.exe34⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jijokbfp.exeC:\Windows\system32\Jijokbfp.exe35⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jaecod32.exeC:\Windows\system32\Jaecod32.exe36⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jlkglm32.exeC:\Windows\system32\Jlkglm32.exe37⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jagpdd32.exeC:\Windows\system32\Jagpdd32.exe38⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jfdhmk32.exeC:\Windows\system32\Jfdhmk32.exe39⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jpmmfp32.exeC:\Windows\system32\Jpmmfp32.exe40⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jfgebjnm.exeC:\Windows\system32\Jfgebjnm.exe41⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kmqmod32.exeC:\Windows\system32\Kmqmod32.exe42⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kpojkp32.exeC:\Windows\system32\Kpojkp32.exe43⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kkdnhi32.exeC:\Windows\system32\Kkdnhi32.exe44⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kmcjedcg.exeC:\Windows\system32\Kmcjedcg.exe45⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kbpbmkan.exeC:\Windows\system32\Kbpbmkan.exe46⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kmegjdad.exeC:\Windows\system32\Kmegjdad.exe47⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kofcbl32.exeC:\Windows\system32\Kofcbl32.exe48⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kgnkci32.exeC:\Windows\system32\Kgnkci32.exe49⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Khohkamc.exeC:\Windows\system32\Khohkamc.exe50⤵
-
C:\Windows\SysWOW64\Kpfplo32.exeC:\Windows\system32\Kpfplo32.exe51⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kaglcgdc.exeC:\Windows\system32\Kaglcgdc.exe52⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Khadpa32.exeC:\Windows\system32\Khadpa32.exe53⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kokmmkcm.exeC:\Windows\system32\Kokmmkcm.exe54⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ldheebad.exeC:\Windows\system32\Ldheebad.exe55⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Llomfpag.exeC:\Windows\system32\Llomfpag.exe56⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lonibk32.exeC:\Windows\system32\Lonibk32.exe57⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Laleof32.exeC:\Windows\system32\Laleof32.exe58⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lhfnkqgk.exeC:\Windows\system32\Lhfnkqgk.exe59⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lncfcgeb.exeC:\Windows\system32\Lncfcgeb.exe60⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lpabpcdf.exeC:\Windows\system32\Lpabpcdf.exe61⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lgkkmm32.exeC:\Windows\system32\Lgkkmm32.exe62⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lnecigcp.exeC:\Windows\system32\Lnecigcp.exe63⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ldokfakl.exeC:\Windows\system32\Ldokfakl.exe64⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lkicbk32.exeC:\Windows\system32\Lkicbk32.exe65⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lljpjchg.exeC:\Windows\system32\Lljpjchg.exe66⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ldahkaij.exeC:\Windows\system32\Ldahkaij.exe67⤵
-
C:\Windows\SysWOW64\Lfbdci32.exeC:\Windows\system32\Lfbdci32.exe68⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Lnjldf32.exeC:\Windows\system32\Lnjldf32.exe69⤵
-
C:\Windows\SysWOW64\Mphiqbon.exeC:\Windows\system32\Mphiqbon.exe70⤵
-
C:\Windows\SysWOW64\Mfeaiime.exeC:\Windows\system32\Mfeaiime.exe71⤵
-
C:\Windows\SysWOW64\Mhcmedli.exeC:\Windows\system32\Mhcmedli.exe72⤵
-
C:\Windows\SysWOW64\Mciabmlo.exeC:\Windows\system32\Mciabmlo.exe73⤵
-
C:\Windows\SysWOW64\Mfgnnhkc.exeC:\Windows\system32\Mfgnnhkc.exe74⤵
-
C:\Windows\SysWOW64\Mhfjjdjf.exeC:\Windows\system32\Mhfjjdjf.exe75⤵
-
C:\Windows\SysWOW64\Mcknhm32.exeC:\Windows\system32\Mcknhm32.exe76⤵
-
C:\Windows\SysWOW64\Mdmkoepk.exeC:\Windows\system32\Mdmkoepk.exe77⤵
-
C:\Windows\SysWOW64\Mhhgpc32.exeC:\Windows\system32\Mhhgpc32.exe78⤵
-
C:\Windows\SysWOW64\Mobomnoq.exeC:\Windows\system32\Mobomnoq.exe79⤵
-
C:\Windows\SysWOW64\Mflgih32.exeC:\Windows\system32\Mflgih32.exe80⤵
-
C:\Windows\SysWOW64\Mgmdapml.exeC:\Windows\system32\Mgmdapml.exe81⤵
-
C:\Windows\SysWOW64\Mdadjd32.exeC:\Windows\system32\Mdadjd32.exe82⤵
-
C:\Windows\SysWOW64\Njnmbk32.exeC:\Windows\system32\Njnmbk32.exe83⤵
-
C:\Windows\SysWOW64\Nnjicjbf.exeC:\Windows\system32\Nnjicjbf.exe84⤵
-
C:\Windows\SysWOW64\Ndcapd32.exeC:\Windows\system32\Ndcapd32.exe85⤵
-
C:\Windows\SysWOW64\Nknimnap.exeC:\Windows\system32\Nknimnap.exe86⤵
-
C:\Windows\SysWOW64\Nnleiipc.exeC:\Windows\system32\Nnleiipc.exe87⤵
-
C:\Windows\SysWOW64\Ndfnecgp.exeC:\Windows\system32\Ndfnecgp.exe88⤵
-
C:\Windows\SysWOW64\Njbfnjeg.exeC:\Windows\system32\Njbfnjeg.exe89⤵
-
C:\Windows\SysWOW64\Nqmnjd32.exeC:\Windows\system32\Nqmnjd32.exe90⤵
-
C:\Windows\SysWOW64\Nfigck32.exeC:\Windows\system32\Nfigck32.exe91⤵
-
C:\Windows\SysWOW64\Nihcog32.exeC:\Windows\system32\Nihcog32.exe92⤵
-
C:\Windows\SysWOW64\Nqokpd32.exeC:\Windows\system32\Nqokpd32.exe93⤵
-
C:\Windows\SysWOW64\Nbpghl32.exeC:\Windows\system32\Nbpghl32.exe94⤵
-
C:\Windows\SysWOW64\Njgpij32.exeC:\Windows\system32\Njgpij32.exe95⤵
-
C:\Windows\SysWOW64\Nlilqbgp.exeC:\Windows\system32\Nlilqbgp.exe96⤵
-
C:\Windows\SysWOW64\Oeaqig32.exeC:\Windows\system32\Oeaqig32.exe97⤵
-
C:\Windows\SysWOW64\Olkifaen.exeC:\Windows\system32\Olkifaen.exe98⤵
-
C:\Windows\SysWOW64\Obeacl32.exeC:\Windows\system32\Obeacl32.exe99⤵
-
C:\Windows\SysWOW64\Oioipf32.exeC:\Windows\system32\Oioipf32.exe100⤵
-
C:\Windows\SysWOW64\Olmela32.exeC:\Windows\system32\Olmela32.exe101⤵
-
C:\Windows\SysWOW64\Obgnhkkh.exeC:\Windows\system32\Obgnhkkh.exe102⤵
-
C:\Windows\SysWOW64\Oefjdgjk.exeC:\Windows\system32\Oefjdgjk.exe103⤵
-
C:\Windows\SysWOW64\Ojbbmnhc.exeC:\Windows\system32\Ojbbmnhc.exe104⤵
-
C:\Windows\SysWOW64\Objjnkie.exeC:\Windows\system32\Objjnkie.exe105⤵
-
C:\Windows\SysWOW64\Oehgjfhi.exeC:\Windows\system32\Oehgjfhi.exe106⤵
-
C:\Windows\SysWOW64\Ohfcfb32.exeC:\Windows\system32\Ohfcfb32.exe107⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Ojeobm32.exeC:\Windows\system32\Ojeobm32.exe108⤵
-
C:\Windows\SysWOW64\Oejcpf32.exeC:\Windows\system32\Oejcpf32.exe109⤵
-
C:\Windows\SysWOW64\Oflpgnld.exeC:\Windows\system32\Oflpgnld.exe110⤵
-
C:\Windows\SysWOW64\Pnchhllf.exeC:\Windows\system32\Pnchhllf.exe111⤵
-
C:\Windows\SysWOW64\Paaddgkj.exeC:\Windows\system32\Paaddgkj.exe112⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Pdppqbkn.exeC:\Windows\system32\Pdppqbkn.exe113⤵
-
C:\Windows\SysWOW64\Piliii32.exeC:\Windows\system32\Piliii32.exe114⤵
-
C:\Windows\SysWOW64\Pdbmfb32.exeC:\Windows\system32\Pdbmfb32.exe115⤵
-
C:\Windows\SysWOW64\Pfpibn32.exeC:\Windows\system32\Pfpibn32.exe116⤵
-
C:\Windows\SysWOW64\Pmjaohol.exeC:\Windows\system32\Pmjaohol.exe117⤵
-
C:\Windows\SysWOW64\Ppinkcnp.exeC:\Windows\system32\Ppinkcnp.exe118⤵
-
C:\Windows\SysWOW64\Pbgjgomc.exeC:\Windows\system32\Pbgjgomc.exe119⤵
-
C:\Windows\SysWOW64\Peefcjlg.exeC:\Windows\system32\Peefcjlg.exe120⤵
-
C:\Windows\SysWOW64\Ponklpcg.exeC:\Windows\system32\Ponklpcg.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-